Solved Facebook virus/malware? sed.exe fdsv.exe grep.exe

Status
Not open for further replies.

falkeri

Hello,

Apparently I recently got one of those facebook viruses that makes me spam my friends with annoying messages. Not really sure how that happened, but it prompted me to go virus hunting.

I found a group of suspicious .exe's in my C:\Windows directory:
sed.exe
fdsv.exe
zip.exe
grep.exe
NIRCMD.exe
swreg.exe
vfind.exe

And there may actually have been one or two more, all had been 'modified' on a date well before the creation of this computer (year 2000). I just deleted them all, but afterwards did a google search and someone mentioned they are rootkits? Not really sure what a rootkit actually is to be honest so I'm not sure if just deleting them was sufficient?

And I have no idea if they were related to my facebook virus? I can't really seem to find much info on these guys anywhere, does anyone know what they are?

I'm attaching my hijack this, malware bytes, and superantispyware logs.

Thanks!
 

Attachments

  • hijackthis.log
    10.3 KB · Views: 3
  • SUPERAntiSpyware Scan Log - 03-29-2010 - 23-58-25.log
    629 bytes · Views: 2
  • mbam-log-2010-03-29 (23-10-01).txt
    1.3 KB · Views: 6
First of all, you don't delete some random files, if you have no clue what exactly you're doing.
Secondly, your Malwarebytes log says "No action taken" after each line. Re-run MBAM, make sure you fix all issues and post a fresh MBAM log.
Thirdly, you don't have any antivirus program installed.
Download and install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
After installation, run full scan.

Let me know when you're done.
 
Sorry,

You're right about #1, I shouldn't have just deleted them.

About #2, malwarebytes found 4 problems, 1 was accelfix.exe which is a program that I know. And the other 3 were just notifications that I disabled on purpose.

#3, you're right, I choose not to use real time anti-virus because I find it to be a nuisance. I downloaded and installed Prevx 3.0 a few hours ago, and it turned up nothing but files that I know to be safe. I also ran Symantec's online scan, which gave the same results. I suppose I'll try the Avira scan in the meantime while I wait.

Thanks for the reply.
 
1 was accelfix.exe which is a program that I know
Upload the file here: http://www.virustotal.com/
Post scan results.

Unfortunately, if you refuse to install an AV program, I refuse to help you, because I have no time for cleaning some computer which, without any AV installed, will get infected again in no time.
 
Not to interfere with anything Broni will be doing with you- just comments:

It's a tiny program written to remove the latent mouse acceleration in windows xp.

Surely you looked at the log and found that this 'tiny program' is/was infected with malware!!

No AV because it's a nuisance, but you come here to have us clean up the malware? Something isn't balancing out here!

Sorry, Broni- should have sat on my fingers!
 
Sigh, this is actually precisely one of the reasons that real time anti-virus is a nuisance, always telling me things are a virus when they aren't.

The file can be downloaded here: http://razerblueprints.net/index.ph...html?dir=DESC&limit=5&limitstart=5&order=name including its source code

The 11-page thread leading up to its creation can be found here http://razerblueprints.net/index.php/component/option,com_smf/Itemid,99/topic,3823.90/

And the 18-page thread following its creation can be found here http://razerblueprints.net/index.php/component/option,com_smf/Itemid,48/topic,4788.0/

Feel free to read the code, compile it and scan it yourself.

Despite my not running real time AV for the past 6 years or so, my machine is really not riddled with malware. I've shown you multiple scans I've done that have found nothing of substance, I don't understand why my not running realtime AV should insult you so much?

I don't mean to come off as sounding rude, I realize that you guys are volunteers just trying to help people.
 
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitComet for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
========================================
O8 - Extra context menu item: &D&ownload &with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://H:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - H:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
 
The website you mentioned, http://razerblueprints.net/index.ph...html?dir=DESC&limit=5&limitstart=5&order=name, is listed as "Excellent" by WOT: http://www.mywot.com/en/scorecard/razerblueprints.net, so I'll take your word for the program as being safe.
I agree, some scripts will be flagged by the heuristic part of AV engines. Happened to me.

As for AV program, I stay firm in my position.
Every AV program has a list of exclusions, which you can manage.
I have a couple of files in my Avast exclusion list. I know they're safe, but Avast flags them as bad files.

So, let's go back to your case....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Done, here are the files!

Thanks again!
 

Attachments

  • hijackthis_330.log
    10.7 KB · Views: 2
  • ComboFix.txt
    24.4 KB · Views: 2
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
 
Hm you said copy and paste but it's kind of long, I've attached it instead, hope that's OK.
 

Attachments

  • TDSSKiller.txt
    37.4 KB · Views: 1
Download and save HelpAsst_mebroot_fix.exe to your desktop.
  • Close all open programs.
  • Double click HelpAsst_mebroot_fix.exe to run it.
  • Pay attention to the running tool.
  • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
  • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

    • helpasst -mbrt
  • When it completes, a log will open.
  • Please post the contents of that log.

IMPORTANT!
If the tool does NOT detect any mbr infection and completes, proceed with the following...

  • Click Start>Run and copy and paste the following command, then hit Enter:

    • mbr -f
  • Repeat the above step one more time
  • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
  • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

    • helpasst -mbrt
  • When it completes, a log will open.
  • Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).**
 
Never told me it detected anything when it ran but there is something in the log.

I think atapi is supposed to be dvd-rom drivers? Not sure tho.
 

Attachments

  • HelpAsst.log
    1.8 KB · Views: 5
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
KillAll::

File::


Folder::

Driver::

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=-
"NoSMMyDocs"=-
"NoSMMyPictures"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-


RegLockDel::

MBR::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
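To see what the CFScript above actually asks ComboFix to change before running it, here is an added parser (my own example code, not part of the thread or of ComboFix) that splits the script into its "Name::" sections and turns the Registry:: body into explicit actions. It assumes the regedit-style convention visible in the script, where a line of the form "name"=- under a [key] line deletes that value; key names, including the trailing "-" and the "~" shorthand, are kept literally as written.

```python
import re

# Constructed sample in the same format as the CFScript in the post above.
SAMPLE_CFSCRIPT = r'''
KillAll::

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=-
"NoSMMyDocs"=-
"NoSMMyPictures"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
'''

SECTION_RE = re.compile(r'^([A-Za-z]+)::$')   # KillAll::, Registry::, ...
KEY_RE = re.compile(r'^\[(.+)\]$')            # [key] selects the current key
VALUE_RE = re.compile(r'^"(.*)"=(.*)$')       # "name"=-  or  "name"=data


def split_sections(script):
    """Group every non-blank line under the 'Name::' header preceding it."""
    sections = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_registry(lines):
    """Translate Registry:: lines into (op, key, name, data) tuples so the
    reader can see what will change. Key names (trailing '-', '~') are kept
    exactly as written; '"name"=-' deletes a value, anything else sets it."""
    actions = []
    key = None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name, data = vm.groups()
            op = 'delete_value' if data == '-' else 'set_value'
            actions.append((op, key, name, None if data == '-' else data))
    return actions


def parse_cfscript(script):
    sections = split_sections(script)
    return {'sections': sorted(sections),
            'registry': parse_registry(sections.get('Registry', []))}
```

Run against the sample, it reports two sections and five value deletions: the three Start Menu policy restrictions, the unnamed entry under the "run-" key, and the EnableFirewall override.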
 
Hm ok so I did as you instructed, it didn't go as smoothly as I intended though.

I dragged the script and Combofix automatically ran, before I disabled my HIPS and firewall. It rebooted to disable drive emulators and when it rebooted the HIPS and firewall were still active, it said it detected rootkits and rebooted again, but it froze on reboot so I hard booted after waiting about 15 minutes. It ran a scan when it booted back up and here's the log, along with a new hijackthis. I don't know if I should repeat the steps with the script and hope it goes better this time or no?
 

Attachments

  • ComboFix.txt
    25.2 KB · Views: 3
  • hijackthis.log
    10.6 KB · Views: 1
Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
 
The scan has been running for at least 4 hours now. I think more like 5. Is it supposed to take that long? I do have like 5 drives...

It doesn't show anything in the window though, says 'initializing, please wait...' below the main window and 'scanning...' at the very bottom.

Computer is not frozen I can see processor activity fluctuating in PriFinity.
 
Stop the process...


Please download Sophos Anti-rootkit & save it to your desktop.

IMPORTANT!
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives

  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.

  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\
 
Sophos scan completed, it only found 3 files. Didn't recommend cleaning any of them:

Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 4/3/2010 at 18:41:02 PM
User "Julian" on computer "#######"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Julian\Application Data\SecuROM\UserData\???????????p?????????
Hidden: file C:\Documents and Settings\Julian\Application Data\SecuROM\UserData\???????????p?????????
Info: Starting disk scan of F: (NTFS).
Info: Starting disk scan of G: (NTFS).
Info: Starting disk scan of H: (NTFS).
Info: Starting disk scan of L: (NTFS).
Stopped logging on 4/3/2010 at 20:13:49 PM
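As an added example (my own code, not part of the thread or of Sophos's tool), the script below reads a sarscan.log like the one above and separates hidden items that match patterns the analyst has already vetted from those that still need a closer look. The vetted patterns and their labels are assumptions for illustration, not verdicts from the thread; the log is a constructed replica with the user and computer names replaced and one made-up driver entry added to exercise the unvetted path.

```python
import re

# Constructed replica of the sarscan.log above (names replaced) plus one
# made-up hidden driver so the unvetted branch has something to report.
SAMPLE_LOG = r'''Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 4/3/2010 at 18:41:02 PM
User "USER" on computer "HOST"
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\USER\Application Data\SecuROM\UserData\???????????p?????????
Hidden: file C:\WINDOWS\system32\drivers\EXAMPLE_unknown.sys
Info: Starting disk scan of F: (NTFS).
Info: Starting disk scan of G: (NTFS).
Stopped logging on 4/3/2010 at 20:13:49 PM
'''

# Assumption: patterns the analyst has already vetted as expected on this
# machine (illustrative labels, not Sophos's or the thread's conclusions).
VETTED_PATTERNS = {
    "virtual-drive driver config (d347prt)": r"\\Services\\d347prt\\",
    "SecuROM copy-protection data": r"\\SecuROM\\UserData\\",
}

HIDDEN_RE = re.compile(r"^Hidden: (registry item|file|process) (.+)$")
DISK_RE = re.compile(r"^Info: Starting disk scan of ([A-Z]:) \((\w+)\)\.$")


def triage_sarscan(log_text, vetted):
    """Pull every 'Hidden:' item out of the log, record which vetted pattern
    (if any) explains it, and list the drives that were actually scanned."""
    disks = []
    findings = []
    for line in log_text.splitlines():
        d = DISK_RE.match(line)
        if d:
            disks.append(d.group(1))
            continue
        h = HIDDEN_RE.match(line)
        if not h:
            continue
        kind, path = h.groups()
        label = next((lbl for lbl, pat in vetted.items()
                      if re.search(pat, path, re.I)), None)
        findings.append({"kind": kind, "path": path, "vetted_as": label})
    unvetted = [f for f in findings if f["vetted_as"] is None]
    return {"disks": disks, "findings": findings, "unvetted": unvetted}
```

Checking the scanned-drive list against the drives you expect is worthwhile too: a hidden item on a drive the scanner never reached will not show up at all.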
 
Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Double-click mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log (mbr.log) file to your next reply.
 
OK. This is good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 